Diffstat (limited to 'meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch')
-rw-r--r-- | meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch | 146 |
1 files changed, 146 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch
new file mode 100644
index 0000000000..fafd3c2033
--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.3.0/CVE-2015-7545_4.patch
@@ -0,0 +1,146 @@
+From f4113cac0c88b4f36ee6f3abf3218034440a68e3 Mon Sep 17 00:00:00 2001
+From: Blake Burkhart <bburky@bburky.com>
+Date: Tue, 22 Sep 2015 18:06:04 -0400
+Subject: [PATCH] http: limit redirection to protocol-whitelist
+
+Previously, libcurl would follow redirection to any protocol
+it was compiled for support with. This is desirable to allow
+redirection from HTTP to HTTPS. However, it would even
+successfully allow redirection from HTTP to SFTP, a protocol
+that git does not otherwise support at all. Furthermore
+git's new protocol-whitelisting could be bypassed by
+following a redirect within the remote helper, as it was
+only enforced at transport selection time.
+
+This patch limits redirects within libcurl to HTTP, HTTPS,
+FTP and FTPS. If there is a protocol-whitelist present, this
+list is limited to those also allowed by the whitelist. As
+redirection happens from within libcurl, it is impossible
+for an HTTP redirect to a protocol implemented within
+another remote helper.
+
+When the curl version git was compiled with is too old to
+support restrictions on protocol redirection, we warn the
+user if GIT_ALLOW_PROTOCOL restrictions were requested. This
+is a little inaccurate, as even without that variable in the
+environment, we would still restrict SFTP, etc, and we do
+not warn in that case. But anything else means we would
+literally warn every time git accesses an http remote.
+
+This commit includes a test, but it is not as robust as we
+would hope. It redirects an http request to ftp, and checks
+that curl complained about the protocol, which means that we
+are relying on curl's specific error message to know what
+happened. Ideally we would redirect to a working ftp server
+and confirm that we can clone without protocol restrictions,
+and not with them. But we do not have a portable way of
+providing an ftp server, nor any other protocol that curl
+supports (https is the closest, but we would have to deal
+with certificates).
+
+[jk: added test and version warning]
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/
+CVE: CVE-2015-7545 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ Documentation/git.txt | 5 -----
+ http.c | 17 +++++++++++++++++
+ t/lib-httpd/apache.conf | 1 +
+ t/t5812-proto-disable-http.sh | 9 +++++++++
+ 4 files changed, 27 insertions(+), 5 deletions(-)
+
+Index: git-2.3.0/Documentation/git.txt
+===================================================================
+--- git-2.3.0.orig/Documentation/git.txt
++++ git-2.3.0/Documentation/git.txt
+@@ -1049,11 +1049,6 @@ GIT_ICASE_PATHSPECS::
+
+ - any external helpers are named by their protocol (e.g., use
+ `hg` to allow the `git-remote-hg` helper)
+-+
+-Note that this controls only git's internal protocol selection.
+-If libcurl is used (e.g., by the `http` transport), it may
+-redirect to other protocols. There is not currently any way to
+-restrict this.
+
+
+ Discussion[[Discussion]]
+Index: git-2.3.0/http.c
+===================================================================
+--- git-2.3.0.orig/http.c
++++ git-2.3.0/http.c
+@@ -8,6 +8,7 @@
+ #include "credential.h"
+ #include "version.h"
+ #include "pkt-line.h"
++#include "transport.h"
+
+ int active_requests;
+ int http_is_verbose;
+@@ -300,6 +301,7 @@ static void set_curl_keepalive(CURL *c)
+ static CURL *get_curl_handle(void)
+ {
+ CURL *result = curl_easy_init();
++ long allowed_protocols = 0;
+
+ if (!result)
+ die("curl_easy_init failed");
+@@ -352,6 +354,21 @@ static CURL *get_curl_handle(void)
+ #elif LIBCURL_VERSION_NUM >= 0x071101
+ curl_easy_setopt(result, CURLOPT_POST301, 1);
+ #endif
++#if LIBCURL_VERSION_NUM >= 0x071304
++ if (is_transport_allowed("http"))
++ allowed_protocols |= CURLPROTO_HTTP;
++ if (is_transport_allowed("https"))
++ allowed_protocols |= CURLPROTO_HTTPS;
++ if (is_transport_allowed("ftp"))
++ allowed_protocols |= CURLPROTO_FTP;
++ if (is_transport_allowed("ftps"))
++ allowed_protocols |= CURLPROTO_FTPS;
++ curl_easy_setopt(result, CURLOPT_REDIR_PROTOCOLS, allowed_protocols);
++#else
++ if (transport_restrict_protocols())
++ warning("protocol restrictions not applied to curl redirects because\n"
++ "your curl version is too old (>= 7.19.4)");
++#endif
+
+ if (getenv("GIT_CURL_VERBOSE"))
+ curl_easy_setopt(result, CURLOPT_VERBOSE, 1);
+Index: git-2.3.0/t/lib-httpd/apache.conf
+===================================================================
+--- git-2.3.0.orig/t/lib-httpd/apache.conf
++++ git-2.3.0/t/lib-httpd/apache.conf
+@@ -118,6 +118,7 @@ RewriteRule ^/smart-redir-perm/(.*)$ /sm
+ RewriteRule ^/smart-redir-temp/(.*)$ /smart/$1 [R=302]
+ RewriteRule ^/smart-redir-auth/(.*)$ /auth/smart/$1 [R=301]
+ RewriteRule ^/smart-redir-limited/(.*)/info/refs$ /smart/$1/info/refs [R=301]
++RewriteRule ^/ftp-redir/(.*)$ ftp://localhost:1000/$1 [R=302]
+
+ <IfDefine SSL>
+ LoadModule ssl_module modules/mod_ssl.so
+Index: git-2.3.0/t/t5812-proto-disable-http.sh
+===================================================================
+--- git-2.3.0.orig/t/t5812-proto-disable-http.sh
++++ git-2.3.0/t/t5812-proto-disable-http.sh
+@@ -16,5 +16,14 @@ test_expect_success 'create git-accessib
+
+ test_proto "smart http" http "$HTTPD_URL/smart/repo.git"
+
++test_expect_success 'curl redirects respect whitelist' '
++ test_must_fail env GIT_ALLOW_PROTOCOL=http:https \
++ git clone "$HTTPD_URL/ftp-redir/repo.git" 2>stderr &&
++ {
++ test_i18ngrep "ftp.*disabled" stderr ||
++ test_i18ngrep "your curl version is too old"
++ }
++'
++
+ stop_httpd
+ test_done
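Review bot: In the t5812 hunk at the end of the added patch, the fallback `test_i18ngrep "your curl version is too old"` has no file operand, so it greps the harness's stdin instead of the `stderr` file captured two lines earlier; on a curl older than 7.19.4 the test would never inspect the warning the http.c hunk emits, and its outcome would depend on whatever stdin the harness supplies. The line should read `test_i18ngrep "your curl version is too old" stderr`. Separately, the header labels this file `CVE: CVE-2015-7545 patch #1` while the filename is `CVE-2015-7545_4.patch`; the two should agree so the apply order is unambiguous, since the http.c hunk includes `transport.h` and calls `is_transport_allowed()` and `transport_restrict_protocols()`, which presumably come from the earlier patches in this series and must be applied before this one.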